Overview
- Computer scientists at the University of Vienna and SBA Research exploited a weakness in WhatsApp’s Contact Discovery to enumerate accounts at roughly 100 million phone numbers per hour.
- The teams report gathering data for about 3.5 billion users, with profile photos visible for 57% of accounts and status messages for 29%.
- Researchers say additional attributes could be inferred, including operating system, account age, and connected devices such as WhatsApp Web.
- Meta acknowledged the findings through its bug-bounty program, implemented new rate limits, and tightened visibility settings for profile photos and statuses.
- WhatsApp’s end-to-end encryption for message content was not compromised, though the study underscores privacy risks from exposed metadata, including in countries where the service is banned, such as China, Myanmar, and Iran.
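
The rate-limit mitigation mentioned above, sketched from the defender's side as an added example (not WhatsApp's or Meta's implementation, which the study summary does not describe): a per-account budget on previously unseen numbers, so that re-syncing an existing address book stays free while a sweep across a number range is cut off. The class name `DiscoveryLimiter`, the one-hour window, the budget of 500 and the `+999` phone numbers are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600    # assumed sliding window
MAX_NEW_NUMBERS = 500    # assumed budget of never-before-queried numbers per window


class DiscoveryLimiter:
    """Hypothetical per-account limiter for contact-discovery lookups.

    Counts only numbers the account has not looked up before. The `seen`
    sets grow without bound here; a real service would cap or expire them.
    """

    def __init__(self, window=WINDOW_SECONDS, budget=MAX_NEW_NUMBERS):
        self.window = window
        self.budget = budget
        self.seen = defaultdict(set)      # account -> numbers already resolved
        self.recent = defaultdict(deque)  # account -> timestamps of new lookups

    def allow(self, account, numbers, now):
        """Return the subset of `numbers` the account may resolve at `now`."""
        q = self.recent[account]
        while q and q[0] <= now - self.window:
            q.popleft()                   # forget lookups older than the window
        allowed = []
        for n in numbers:
            if n in self.seen[account]:
                allowed.append(n)         # known contact: re-sync costs nothing
            elif len(q) < self.budget:
                self.seen[account].add(n)
                q.append(now)
                allowed.append(n)
            # otherwise over budget: the number is silently not resolved
        return allowed


def demo():
    """Constructed traffic: one ordinary user, one range sweep."""
    lim = DiscoveryLimiter()
    book = [f"+999000{i:04d}" for i in range(300)]        # 300-entry address book
    normal = sum(len(lim.allow("alice", book, t)) for t in (0, 1200, 2400))
    sweep = [f"+999100{i:04d}" for i in range(10_000)]    # sequential range
    swept = sum(len(lim.allow("scanner", sweep[i:i + 1000], i // 1000 * 60))
                for i in range(0, 10_000, 1000))
    return normal, swept


if __name__ == "__main__":
    print(demo())
```

A limiter keyed on request count alone would either throttle the ordinary re-syncs or leave room for large batches; keying on distinct new numbers separates the two patterns.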